VulnCon 2026 Workshop

Whack-a-Clue: Chasing Timestamps across the World


Modern threat actors don’t rely on a single persistence mechanism — they weaponize time itself.

From autorun entries and scheduled tasks to registry-based triggers, Git hooks, IoT callbacks, and logic-driven execution chains, sophisticated malware quietly spreads across heterogeneous environments and activates under carefully crafted conditions.

These artefacts surface across laptops, servers, mobile devices, embedded systems, and cloud-connected infrastructure, leaving investigators with the difficult task of reconstructing a coherent chain of infection from fragmented evidence.

This workshop explores how investigators can automatically correlate and reconstruct those events by building a lightweight forensic timeline engine in Go.

What Participants Will Build

Participants will implement a lightweight, cross-platform forensic tooling pipeline capable of:

  • Parsing artefacts from multiple operating systems
  • Normalizing heterogeneous timestamp formats
  • Correlating events into a unified timeline
  • Visualizing infection chains and propagation paths
  • Producing investigative timelines without relying on commercial DFIR suites

Who Should Attend

DFIR practitioners
Malware analysts
Incident responders
Threat hunters
Security researchers
Go developers exploring security tooling

Learning Objectives

Understand why Go is ideal for forensic tooling
Identify persistence artefacts
Normalize cross-platform timestamps
Construct forensic timelines
Handle timeline inconsistencies
Reconstruct infection chains

Workshop Flow

01 Kickoff & Motivation

Timeline reconstruction in DFIR and how malware leverages time-based execution.

02 Go for Forensics

Go fundamentals, static binaries, concurrency, and filesystem handling.

03 Infection Chain Fundamentals

Persistence artefacts, propagation techniques, and investigative indicators.

04 Timestamp Parsing & Correlation

Normalizing formats, sorting events, and generating timelines.

05 Real-World Caveats

Clock skew, timezone inconsistencies, and anti-forensic behaviour.

06 Hands-On Case Study

Reconstructing a simulated multi-device infection chain using Go tooling.
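The normalize-sort-correlate work outlined in the capability list and in steps 04 to 06 above, as an added Go example; this is not the workshop's own code. The artefact records, the format names ("rfc3339", "unix", "filetime", "local"), the IST device zone and the five-minute skew on the IoT device are all constructed for the illustration. It shows how timestamps from four platforms collapse onto one UTC timeline, and why the per-device skew correction changes the order in which the events appear to have happened.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one normalized entry on the unified timeline.
type Event struct {
	Source string    // device or artefact the event was recovered from
	When   time.Time // normalized to UTC with per-source skew applied
	Desc   string
}

// RawRecord is a constructed stand-in for an artefact parsed from one host.
type RawRecord struct {
	Source string
	Format string // "rfc3339", "unix", "filetime" or "local" (assumed names)
	Value  string
	Desc   string
}

// filetimeToUnix is the number of seconds between the FILETIME epoch
// (1601-01-01) and the Unix epoch (1970-01-01).
const filetimeToUnix = 11644473600

// ParseTimestamp converts a single artefact timestamp to UTC. A "local"
// value carries no zone marker and is interpreted in deviceZone.
func ParseTimestamp(format, value string, deviceZone *time.Location) (time.Time, error) {
	switch format {
	case "rfc3339":
		t, err := time.Parse(time.RFC3339, value)
		return t.UTC(), err
	case "unix":
		secs, err := strconv.ParseInt(value, 10, 64)
		if err != nil {
			return time.Time{}, err
		}
		return time.Unix(secs, 0).UTC(), nil
	case "filetime":
		// FILETIME counts 100 ns ticks since 1601. Split into seconds and
		// nanoseconds first; ticks*100 would overflow a time.Duration.
		ticks, err := strconv.ParseInt(value, 10, 64)
		if err != nil {
			return time.Time{}, err
		}
		secs := ticks/10000000 - filetimeToUnix
		nanos := (ticks % 10000000) * 100
		return time.Unix(secs, nanos).UTC(), nil
	case "local":
		t, err := time.ParseInLocation("2006-01-02 15:04:05", value, deviceZone)
		return t.UTC(), err
	}
	return time.Time{}, fmt.Errorf("unknown timestamp format %q", format)
}

// BuildTimeline normalizes every record, subtracts the per-source skew
// (a positive value means that device's clock runs ahead of reference)
// and returns the events in chronological order.
func BuildTimeline(records []RawRecord, zones map[string]*time.Location, skew map[string]time.Duration) ([]Event, error) {
	events := make([]Event, 0, len(records))
	for _, r := range records {
		zone := zones[r.Source]
		if zone == nil {
			zone = time.UTC
		}
		t, err := ParseTimestamp(r.Format, r.Value, zone)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", r.Source, err)
		}
		events = append(events, Event{Source: r.Source, When: t.Add(-skew[r.Source]), Desc: r.Desc})
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// Render writes one event per line with the gap since the previous event,
// which is where an implausibly spaced entry stands out during review.
func Render(events []Event) string {
	var b strings.Builder
	for i, e := range events {
		gap := ""
		if i > 0 {
			gap = fmt.Sprintf(" (+%s)", e.When.Sub(events[i-1].When))
		}
		fmt.Fprintf(&b, "%s %-8s %s%s\n", e.When.Format(time.RFC3339), e.Source, e.Desc, gap)
	}
	return b.String()
}

// SampleRecords is constructed evidence from four devices, each written in
// the timestamp convention native to its platform.
var SampleRecords = []RawRecord{
	{"laptop", "filetime", "133545456000000000", "scheduled task created"},
	{"git-repo", "rfc3339", "2024-03-10T17:40:00+05:30", "post-checkout hook committed"},
	{"server", "unix", "1710072300", "cron entry modified"},
	{"iot-cam", "local", "2024-03-10 17:42:00", "callback to staging host"},
}

// DeviceZones: the IoT device logged local IST time with no zone marker (assumed).
var DeviceZones = map[string]*time.Location{
	"iot-cam": time.FixedZone("IST", 5*3600+30*60),
}

// ClockSkew: offsets measured against a reference clock during triage (assumed);
// the IoT device was found to run five minutes ahead.
var ClockSkew = map[string]time.Duration{
	"iot-cam": 5 * time.Minute,
}

func main() {
	events, err := BuildTimeline(SampleRecords, DeviceZones, ClockSkew)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(Render(events))
}
```

With the skew correction applied the callback from the IoT device lands at 12:07Z, between the cron change and the Git hook; without it the same record sorts last, after the hook, which is the kind of ordering error step 05 warns about. The FILETIME branch deliberately splits ticks into seconds and nanoseconds because multiplying a 2024-era tick count by 100 ns overflows int64.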

Wrap-Up & Discussion

Discussion around extending the tooling, integrating it into DFIR workflows, and handling real-world investigative challenges.

Participants are encouraged to continue evolving the prototype into custom forensic pipelines tailored to their own environments.

Workshop Speakers

Experts & Mentors

Dr. Gaurav Gogia


Sr. Software Engineer II @ Fujitsu Research

Dr. Gaurav is a Sr. Software Engineer II @ Fujitsu Research with 5+ years of experience in DevSecOps, virtual patching, digital forensics, and security research. His work focuses on practical security engineering, malware analysis, and scalable investigative methodologies.

He has published multiple research papers and presented at conferences including VulnCon USA, NullCon, DFRWS, and GDG. He has also served as a guest lecturer at NFSU, mentoring students in security and forensics research.

Outside of security, he enjoys exploring cuisines, reading fiction, and playing video games.